Summary
On a Mendix 10.24 project, any operation that triggers mxcli's access-rule reconciliation — UPDATE SECURITY [IN <Module>], but also a plain CREATE ASSOCIATION in that module (output: Reconciled N access rule(s) ...) — strips all inherited members (attributes and associations coming from a generalization) from the access rules of every specialized entity in that module. Own (non-inherited) members are kept. A rule that consisted only of inherited members ends up empty (CE0004).
Two aggravating factors make this dangerous:
- The damage is masked. After the reconciliation,
mx check only reports CE0066 ("Entity access is out of date...") on the module (plus CE0004 if a rule ended up empty). The real damage — a large CE2729 cascade ("No read access to attribute 'X' in entity 'Y' for user role 'Z'") on every page/widget that uses the stripped inherited members — is suppressed while CE0066 is present. It only renders after clicking Update security in Studio Pro. In our case that was 172 hidden CE2729 errors behind an apparently "almost clean" mx check. CLI-only/AI-agent workflows will happily ship this state.
- The damage cannot be repaired via mxcli.
GRANT <role> ON <Module>.<SpecializedEntity> (READ (InheritedAttr, ...), WRITE (...)) prints Granted access ... but does not persist: a subsequent DESCRIBE ENTITY shows no rule members and mx check still reports CE0004. REVOKE + fresh GRANT behaves the same. Only Studio Pro can restore these rules (or a git restore of the model).
Environment
- mxcli v0.16.0 (windows-amd64)
- Mendix project version 10.24.16.96987 (.mpr v2 with
mprcontents/)
- Validation:
mx.exe check from the matching Studio Pro 10.24.16 installation
Reproduction
Starting point: a project where mx check reports 0 errors, containing in MyModule:
MyModule.Attachment extends System.FileDocument with an access rule for role Editor: read (FileID, DeleteAfterDownload, HasContents, Size, Name, Contents), write (Name, Contents) — i.e. only inherited members;
MyModule.Item extends OtherModule.Base with access rules containing a mix of own and inherited members.
Steps:
mxcli -p App.mpr -c "UPDATE SECURITY IN MyModule"
# output: Reconciled 4 access rule(s) in module MyModule
Result:
DESCRIBE ENTITY MyModule.Attachment → the entity now renders without any grant (rule stripped empty).
DESCRIBE ENTITY MyModule.Item → rules only contain the own members; every inherited attribute/association (including write rights on inherited members) is gone.
mx check → only 2 errors: CE0004 (empty rule on Attachment) + CE0066 (module security out of date). No CE2729 errors are reported at this point.
- Open the project in Studio Pro 10.24 → click Update security → 170+
CE2729 errors appear for pages/widgets referencing the stripped inherited members.
The same reconciliation (and the same stripping) also happens without ever calling UPDATE SECURITY, e.g. when creating an association in the module:
mxcli exec create-association.mdl -p App.mpr
# output: ...
# Reconciled 4 access rule(s) for new association
# Created association: MyModule.Child_Parent
So plain domain-model authoring via MDL silently corrupts the security of other entities in the module.
Failed repair via mxcli
mxcli -p App.mpr -c "GRANT MyModule.Editor ON MyModule.Attachment (READ (FileID, DeleteAfterDownload, HasContents, Size, Name, Contents), WRITE (Name, Contents))"
# output: Granted access on MyModule.Attachment to MyModule.Editor
mxcli -p App.mpr -c "DESCRIBE ENTITY MyModule.Attachment"
# → still no grants rendered; mx check still reports CE0004
REVOKE followed by a fresh GRANT gives the same result. Grants that only touch own members of non-specialized entities persist fine.
Expected behavior
- Reconciliation should preserve rights on inherited members (they are valid access-rule members in Studio Pro).
GRANT on inherited members should persist (or fail loudly instead of reporting success).
- If reconciliation intentionally rewrites rules,
mx check should not understate the result; the CE2729 cascade should be visible without a Studio Pro round-trip.
Possibly related
Summary
On a Mendix 10.24 project, any operation that triggers mxcli's access-rule reconciliation —
UPDATE SECURITY [IN <Module>], but also a plainCREATE ASSOCIATIONin that module (output:Reconciled N access rule(s) ...) — strips all inherited members (attributes and associations coming from a generalization) from the access rules of every specialized entity in that module. Own (non-inherited) members are kept. A rule that consisted only of inherited members ends up empty (CE0004).Two aggravating factors make this dangerous:
mx checkonly reports CE0066 ("Entity access is out of date...") on the module (plus CE0004 if a rule ended up empty). The real damage — a large CE2729 cascade ("No read access to attribute 'X' in entity 'Y' for user role 'Z'") on every page/widget that uses the stripped inherited members — is suppressed while CE0066 is present. It only renders after clicking Update security in Studio Pro. In our case that was 172 hidden CE2729 errors behind an apparently "almost clean"mx check. CLI-only/AI-agent workflows will happily ship this state.GRANT <role> ON <Module>.<SpecializedEntity> (READ (InheritedAttr, ...), WRITE (...))printsGranted access ...but does not persist: a subsequentDESCRIBE ENTITYshows no rule members andmx checkstill reports CE0004.REVOKE+ freshGRANTbehaves the same. Only Studio Pro can restore these rules (or a git restore of the model).Environment
mprcontents/)mx.exe checkfrom the matching Studio Pro 10.24.16 installationReproduction
Starting point: a project where
mx checkreports 0 errors, containing inMyModule:MyModule.Attachment extends System.FileDocumentwith an access rule for roleEditor:read (FileID, DeleteAfterDownload, HasContents, Size, Name, Contents), write (Name, Contents)— i.e. only inherited members;MyModule.Item extends OtherModule.Basewith access rules containing a mix of own and inherited members.Steps:
Result:
DESCRIBE ENTITY MyModule.Attachment→ the entity now renders without any grant (rule stripped empty).DESCRIBE ENTITY MyModule.Item→ rules only contain the own members; every inherited attribute/association (including write rights on inherited members) is gone.mx check→ only 2 errors:CE0004(empty rule on Attachment) +CE0066(module security out of date). No CE2729 errors are reported at this point.CE2729errors appear for pages/widgets referencing the stripped inherited members.The same reconciliation (and the same stripping) also happens without ever calling
UPDATE SECURITY, e.g. when creating an association in the module:So plain domain-model authoring via MDL silently corrupts the security of other entities in the module.
Failed repair via mxcli
REVOKEfollowed by a freshGRANTgives the same result. Grants that only touch own members of non-specialized entities persist fine.Expected behavior
GRANTon inherited members should persist (or fail loudly instead of reporting success).mx checkshould not understate the result; the CE2729 cascade should be visible without a Studio Pro round-trip.Possibly related